HANDLE Privacy Policy Privacy is a crucial aspect to us. This is not only in respect to your information, but also the information that is collected about your end users through the use of the HANDLE Platform. We will try to keep the text short and clear. Revised Sep 7th, 2021. This Privacy Policy describes how we collect, use, and disclose information that we obtain about you as the user of HANDLE website, product and Services, and your end users. It also includes important information about how you need to inform your end users about the use of HANDLE Services. Note that a you may belong in multiple categories depending on your relationship with HANDLE, and if you yourself use a software with HANDLE integration. By accessing and using our Services you agree to the HANDLE Privacy Policy. Contents: 1. Customer register 2. End User Register (Visitor IDs) 3. Marketing register 4. Website visitors / Cookie policy 5. General notes on security and sharing information 6. Links to Third-Party Websites and Services 7. Children’s Privacy 8. Changes to this Privacy Policy 9. Contact Us 1. Customer Register - Customer is a person that is or at some point has been a paying user of the HANDLE platform. HANDLE trial users are also considered as customers during their trial period, or as long as their account is triggering API calls to the HANDLE platform. In the case of a trial user, after the trial has ended or they are no longer triggering API calls to the HANDLE platform, a trial user is counted as a lead (see below under Marketing register). - This information is used for communicating important notices that are directly related to the customer’s use of our Services, such as account verification, billing confirmation, information about changes or updates in our Services, and technical or security notices. It is also used for giving support for the customer, as is listed in the SLA applicable to their account. In some cases, the register may also include payment information that is used for payment purposes. - This information is collected on information systems and equipment that are in use by the company and which are in compliance with the Local Data Protection Regulations requirements and are adequately protected. These include, but are not restricted to: CRM, chat software, email software, invoicing and credit card processing software, internal company documentation, company database, computers and mobile devices used by the company’s staff. - The information is collected from information provided by the customer themselves. - The information that we collect: -Name -Email -Phone number -Job title -User category (Marketer, salesperson, developer etc) -Twitter ID or other social media username -Notes on the interaction with the customer -IP-address and approximate location -Information on the device used to contact us (browser, platform, device, user agent) -Information on payment card (if the service is paid through a personal payment card) - A customer may modify this information collected about them by contacting our support at info@handlemaps.com. - As this information is needed for providing our Services to the customer, a customer may only be deleted from our register after a request, if they are no longer a paying customer, and more than 12 months have passed since the contract between HANDLE and the customer has terminated. This excludes any information written in invoices, receipts, contracts and other legally binding documents, which are preserved for legal purposes in perpetuity. 2. End User Register (Visitor IDs) - End user is someone who has downloaded a mobile application with HANDLE SDK integrated and activated in it. - Following the Local Data Protection Regulations terminology, the controller of the end user data collected through the use of HANDLE services is the customer. By using the HANDLE Services, a customer is not sharing end user data with HANDLE, but HANDLE is acting as an external processor of the data. HANDLE does not utilize end user information for any other purpose than providing and maintaining the Service as agreed and does not share end user information with any third party. - Information about the end user is collected to us through a mobile application installed by the end user. - The end user accepts the permission to using their location in the application by giving the application a permission to use their location and Bluetooth information. - It is the responsibility of a HANDLE. customer to inform their end users about what information is collected about their end users, and that the information is used in the customer’s solutions in a Local Data Protection Regulations compliant manner. - End user data is collected under a pseudonymized Visitor ID. Visitor ID is UUID-formatted id that is generated based on timestamp. - Visitor ID remains the same, when the application is updated, but it is regenerated, if the application in deleted and re-installed. In the operating system level, due to operating system limitations, the old Visitor ID may be stored up to 36 hours. HANDLE leaves no permanent tracking mechanism to the mobile device after the application has been deleted. - The data that we collect under the Visitor ID consists of their device’s device build information object, and the location data detailed below. The content of the device build information object varies by device manufacturer and operating system version. - This information is collected in order for our customers to be able to provide location-specific Services to their application’s end users in the extent that they have designed. Device build information is collected in order to be able to analyse potential device-specific differences in error situations. - The location data collected for each Visitor ID includes information about the device’s current and historical location. The location information from the device is collected electronically using multiple methods, including but not limited to GPS, Bluetooth BLE beacons, WiFi networks, cellular networks, gyroscope (IndoorAtlas), LiFi or any other technology defined by the customer. Based on significant location change, latitude, longitude, timestamp, and potential contextual information about the location is stored under the Visitor ID. - The precision of the location information depends on a variety of factors, such as deployed technologies, mobile device make and model, mobile device settings and the physical surroundings. This information may be in some instances collected even when the application is not in active use or when the user has manually disabled location and Bluetooth from the mobile device, depending on the phone model and customer settings. - A customer may control if and where this location information is collected by disabling the HANDLE library in their application or using geofence-only positioning. Geofence-only positioning limits the collection of end user location data to the area defined with geofences by the user. - HANDLE does not collect information about any other activity taking place on the mobile device, such as phone calls, text messages or email. - HANDLE collects no personally identifiable information about the end users, such as names, email addresses, MAC addresses or Advertising IDs. A customer is not allowed to use the HANDLE platform for storing any personal sensitive information under the Visitor ID. Note that in some legislations the totality of information collected under the Visitor ID is considered as personal information. - In order to be able to comply with the Local Data Protection Regulations requirements, HANDLE customer needs to have a method of identifying the Visitor ID of each end user, in case an end user requests to receive their data. This could be for example implemented in the mobile application, or by storing the Visitor IDs in the customer’s end user database. HANDLE will comply all such requests within 30 days, when we are given the specific Visitor ID, and it belongs under the Organization that the customer represents. - Similarly, we will delete all data collected under a specific Visitor ID within 30 days from the request. - Because HANDLE has no method for identifying individual Visitor IDs, we cannot directly comply with end user requests coming to us. - From the collected end user location data, a completely anonymized (stripped of all Visitor IDs and customer organization IDs) duplicate is stored in HANDLE archives for generating and analysing overall trends. This data is no longer considered as personal data. HANDLE also reserves the right to use this anonymized agglomerated data for other purposes. For highly sensitive use cases it is possible to agree on exception to this policy, based on a separate agreement and separate pricing policy. - In order to keep the end user information current and relevant, the end user information is deleted at frequent intervals. By default, these intervals will range from 3 months to one year, depending on the pricing plan the customer has subscribed to. Thereafter the data is stored in anonymized format in HANDLE archives in perpetuity. - All data is stored within EU on GDPR compliant service provider servers, behind firewalls. - The company has also HR policies and technical barriers limiting which team members have access to end user data. Access is only enabled for those technical team members, who need it for maintaining the operation of the HANDLE Services, only to the extent required for that purpose. A customer may also grant temporary access to their account to other team members for them to support solving potential technical issues. - Please note that utilizing location in a mobile application means that you also enable positioning through Google and Apple APIs. See their respective privacy policies: https://policies.google.com/privacy, https://www.apple.com/legal/privacy/en-ww/. 3. Marketing Register - The marketing register consists of persons, who has expressed interest in the HANDLE Services by registering for a trial, sending us an email, SMS, WhatsApp message or similar, called us, approached us in social media, filling in a contact from on our website, downloaded a case study or other content on our website, signed up for our newsletter, has given their contact details to us at a trade fair or other event, booked a meeting with us, has discussed with us on the chat on our website or web portal or commented on our blog. Or a person we have identified as a potential customer, and reached out to by phone call, email, social media or similar means. - For the sake of clarity, all such persons will be titled as leads. - This information is mainly used for the purpose of responding to their questions, give pre-sales support, inform them about HANDLE features and functionality, and handling other HANDLE usage -related issues. - We may, also use lead information to send them information about our new updates, products and Services, which may be of interest to them through newsletters. - Before adding any leads to the newsletter recipient list, we will ask for an explicit permission for that either on our website or through other means of communication. - All newsletters will include an unsubscribe-button that allows leads to opt out from them. - This information is collected on information systems and equipment that are in use by the company and which are in compliance with the Local Data Protection Regulations requirements and are adequately protected. These include, but are not restricted to: CRM, chat software, email software, invoicing and credit card processing software, internal company documentation, company database, computers and mobile devices used by the company’s staff. - The information is collected from information provided by the customer themselves. - The information that we collect: -Name -Email -Phone number -Job title -User category (Marketer, salesperson, developer etc) -Twitter ID or other social media username -Notes on the interaction with the customer -IP-address and approximate location -Information on the device used to contact us (browser, platform, device, user agent) - A customer may modify this information collected about you by contacting our support at info@handlemaps.com. - As this information is needed for providing our Services to you, a customer may only be deleted from our register after a request, if they are no longer a paying customer, and more than 12 months have passed since the contract between HANDLE and the customer has terminated. This excludes any information written in invoices, receipts, contracts and other legally binding documents, which are preserved for legal purposes in perpetuity. 4. General notes on security and sharing information - We have implemented commercially reasonable precautions, including, where appropriate, password protection, encryption, firewalls, and internal restrictions on who may access data to protect the information we collect. However, no data security measures can be 100% reliable. In the event that the security of the personal information we have collected has been compromised, we will take reasonable steps to investigate the situation and to notify our Customers. Please make sure to protect your account from unauthorized use by keeping your password safe and signing off your account after using the Services on a shared computer. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity. - By default, we will not share any customer, end user or lead information with any third party. For some parts of our Services we use third-party service providers. We only utilize contractors, who comply with the Local Data Protection Regulations requirements. We only disclose personal information that is necessary for performing such functions (such as payment processing, email posting, chat provider, accounting) to the third-party vendors, service providers, contractors or agents who perform these functions on our behalf. Third party providers are not allowed to utilize or share this information in any other way. - We may share your personal information only in the following instances: 1. Business Transfers:If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer all of the personal information gathered by us to the other company. If such situation would happen, we would make our best effort to ensure personal information will be handled as carefully in the future as stated in this Privacy Policy. 2. Legal and Regulatory Requirements:We also may disclose personal information collected if we determine, in our sole discretion, that we are required to do so under applicable law or regulatory requirements. 3. To Protect Us and Others: We also may disclose the information if we reasonably believe disclosure is necessary to prevent harm or financial loss, or in connection with investigating or preventing fraud or illegal activity, situations involving potential threats to the safety of any person, and/or to enforce our Terms of Use. 4. Aggregate and De-Identified Information: We may aggregate or remove information of personally identifying characteristics, and then share that aggregated or anonymized information about users with third parties for marketing, advertising, research or similar purposes. 5. Case studies and references: We may publicize case studies and reference on our website and other communication that includes customer personal information. We will never do that without an explicit permission from the customer in question. 5. Links to Third-Party Websites and Services Our Services may contain links to third-party websites and services. This Privacy Policy does not cover such third-party websites or services, but they are governed by their own privacy policies. We are not responsible for their information protection practices but encourage you to familiarise yourself with their privacy policies. 6. Children’s Privacy Our Services are not designed for children under 13. If we discover that personal information has been collected from a child under 13, we will delete the information as soon as possible. 7. Changes to this Privacy Policy We reserve the right to change this Privacy Policy from time to time. Any changes will be updated to this page and indicated in the “revised” date on top of the document. Significant changes to the Privacy Policy, as determined by us in our sole discretion, will be also announced on the HANDLE website, http://handlemaps.com or through an email notification. Please check back to this document regularly for possible updates. Your continued use of our Services after possible changes indicates your acceptance of the updated Privacy Policy. 8. Contact Us If you have any questions about this Privacy Policy or any other aspect of our Services, please contact us at info@handlemaps.com or at: Sara Aloraini Handle Platform Anas bin Malik, Narjis. Riyadh, Saudi Arabia. HANDLE All Rights Reserved 2021.